Refactor legacy unknwon/com package, improve golangci lint (#19284)

The main purpose is to refactor the legacy `unknwon/com` package.
1. Remove most imports of `unknwon/com`, only `util/legacy.go` imports the legacy `unknwon/com`
2. Use golangci's depguard to process denied packages
3. Fix some incorrect values in golangci.yml, eg, the version should be quoted string `"1.18"`
4. Use correctly escaped content for `go-import` and `go-source` meta tags
5. Refactor `com.Expand` to our stable (and the same fast) `vars.Expand`, our `vars.Expand` can still return partially rendered content even if the template is not good (eg: key mistach).

modules/context/csrf.go

@@ -19,13 +19,14 @@
 package context
 
 import (
+	"encoding/base32"
+	"fmt"
 	"net/http"
 	"time"
 
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/modules/web/middleware"
-
-	"github.com/unknwon/com"
 )
 
 // CSRF represents a CSRF service and is used to get the current token and validate a suspect token.
@@ -162,7 +163,12 @@ func prepareOptions(options []CsrfOptions) CsrfOptions {
 
 	// Defaults.
 	if len(opt.Secret) == 0 {
-		opt.Secret = string(com.RandomCreateBytes(10))
+		randBytes, err := util.CryptoRandomBytes(8)
+		if err != nil {
+			// this panic can be handled by the recover() in http handlers
+			panic(fmt.Errorf("failed to generate random bytes: %w", err))
+		}
+		opt.Secret = base32.StdEncoding.EncodeToString(randBytes)
 	}
 	if len(opt.Header) == 0 {
 		opt.Header = "X-CSRFToken"
@@ -211,7 +217,7 @@ func Csrfer(opt CsrfOptions, ctx *Context) CSRF {
 	x.ID = "0"
 	uid := ctx.Session.Get(opt.SessionKey)
 	if uid != nil {
-		x.ID = com.ToStr(uid)
+		x.ID = util.ToStr(uid)
 	}
 
 	needsNew := false